Process Fields

These fields contain information about a process.
These fields help you correlate metrics with the process id or name found in a log message. The process.pid value often stays in the metric itself and is copied to the global process.pid field so that metrics and log events can be joined on it.
Process Field Details

| Field | Description | Type | Level |
|---|---|---|---|
| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | extended |
| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | extended |
| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | keyword | extended |
| process.executable | Absolute path to the process executable. | keyword | extended |
| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | extended |
| process.name | Process name. Sometimes called program name or similar. | keyword | extended |
| process.parent.args | Array of process arguments. May be filtered to protect sensitive information. | keyword | extended |
| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | extended |
| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | keyword | extended |
| process.parent.executable | Absolute path to the process executable. | keyword | extended |
| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | extended |
| process.parent.name | Process name. Sometimes called program name or similar. | keyword | extended |
| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | extended |
| process.parent.pid | Process id. | long | core |
| process.parent.ppid | Parent process' pid. | long | extended |
| process.parent.start | The time the process started. | date | extended |
| process.parent.thread.id | Thread ID. | long | extended |
| process.parent.thread.name | Thread name. | keyword | extended |
| process.parent.title | Process title. The proctitle, sometimes the same as the process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | extended |
| process.parent.uptime | Seconds the process has been up. | long | extended |
| process.parent.working_directory | The working directory of the process. | keyword | extended |
| process.pgid | Identifier of the group of processes the process belongs to. | long | extended |
| process.pid | Process id. | long | core |
| process.ppid | Parent process' pid. | long | extended |
| process.start | The time the process started. | date | extended |
| process.thread.id | Thread ID. | long | extended |
| process.thread.name | Thread name. | keyword | extended |
| process.title | Process title. The proctitle, sometimes the same as the process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | extended |
| process.uptime | Seconds the process has been up. | long | extended |
| process.working_directory | The working directory of the process. | keyword | extended |
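As an added illustration (not code from the ECS project), the following Python builds the process.* fields described above from a raw command line, applies the argument filtering the process.args and process.command_line descriptions allow for, leaves process.exit_code absent on start events, and joins metric records to process events on process.pid as the introduction describes. The list of sensitive flags and the sample inputs are constructed assumptions for the example.

```python
import os
import shlex
from typing import Dict, List, Optional

# Constructed for this example: which flags carry secrets is an assumption,
# not something ECS defines.
SENSITIVE_FLAGS = {"--password", "-p", "--token"}


def filter_args(args: List[str]) -> List[str]:
    """Redact values following sensitive flags (ECS allows process.args to be filtered)."""
    filtered, redact_next = [], False
    for arg in args:
        if redact_next:
            filtered.append("<redacted>")
            redact_next = False
        elif arg in SENSITIVE_FLAGS:
            filtered.append(arg)
            redact_next = True
        elif "=" in arg and arg.split("=", 1)[0] in SENSITIVE_FLAGS:
            filtered.append(arg.split("=", 1)[0] + "=<redacted>")
        else:
            filtered.append(arg)
    return filtered


def build_process_fields(command_line: str, pid: int, ppid: int,
                         exit_code: Optional[int] = None) -> Dict:
    """Derive ECS process.* fields from a raw command line.

    process.exit_code is set only when exit_code is given (a termination
    event); it stays absent on a start event, as the field description requires.
    """
    args = filter_args(shlex.split(command_line))
    process = {
        "pid": pid,
        "ppid": ppid,
        "executable": args[0],              # absolute path to the binary
        "name": os.path.basename(args[0]),  # program name
        "args": args,
        "args_count": len(args),
        "command_line": shlex.join(args),   # rebuilt from the filtered args
    }
    if exit_code is not None:
        process["exit_code"] = exit_code
    return {"process": process}


def correlate_by_pid(metrics: List[Dict], events: List[Dict]) -> List[Dict]:
    """Attach the matching event's process.* fields to each metric, joined on process.pid."""
    by_pid = {e["process"]["pid"]: e["process"] for e in events}
    return [{**m, "process": by_pid[m["process"]["pid"]]}
            for m in metrics if m["process"]["pid"] in by_pid]
```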
Field Reuse

Field sets that can be nested under Process

| Nested fields | Description |
|---|---|
| | Hashes, usually file hashes. |